Commit Graph

5607 Commits

Author SHA1 Message Date
Shreya e6c9377908 cc: Link `InfoField` widget to ransomware's `info_box` field in UI schema 2021-07-09 20:14:16 +05:30
Shreya 844399b608 cc: Add new `InfoField` component 2021-07-09 20:12:52 +05:30
Shreya 4320d3e08c cc: Change config field descriptions and add `info_box` field to ransomware config schema 2021-07-09 20:12:34 +05:30
Mike Salvatore fb50ba1e55 Agent: Remove unnecessary `if` from _find_files() 2021-07-08 12:52:05 -04:00
Mike Salvatore bb554d923d Agent: Rename _valid_file_extensions... -> _targeted_file_extensions 2021-07-08 12:52:05 -04:00
Mike Salvatore 24fdb9e299
Merge pull request #1307 from guardicore/ransomware-inject-copy-dependency
Ransomware README improvements
2021-07-08 12:50:32 -04:00
Mike Salvatore 92c5c3b682 Agent: Extract method _copy_file() from _leave_readme()
Reworks the logic in _leave_readme() to reduce indenting and improve
clarity and extracts the logic to copy the file into _copy_readme_file()
2021-07-08 12:04:50 -04:00
Mike Salvatore 7454ee72b2 Agent: Switch copy_file typehint from str to Path 2021-07-08 12:04:12 -04:00
Mike Salvatore 064525e6b9 Agent: Don't try to create README.txt if one already exists 2021-07-08 11:59:50 -04:00
Mike Salvatore f0e9109f64 Agent: Inject copy_file callable into RansomwarePayload
In order to test certain conditions, our options are to either
monkeypatch shutil.copyfile(), or inject a callable into the
RansomwarePayload.  Monkeypatching shutil.copyfile() could lead to
issues down the road. For example, if the implementation of
`_leave_readme()` is changed to no longer use copyfile(), a test that
asserts that copyfile() has not been called will pass, even though a
file may have been copied.
2021-07-08 11:23:15 -04:00
Mike Salvatore e1b08079f1
Merge pull request #1305 from guardicore/ransomware-skip-encryption-test-refactor
Island: Refactor test_encryption_skipped_if_no_directory()
2021-07-08 06:37:49 -04:00
Mike Salvatore ecb20dc99a Island: Refactor test_encryption_skipped_if_no_directory()
The old implementation tightly coupled the test to the specific
implementation of the ransomware payload. Since the ransomware payload
provides insight into its actions in the form of telemetry, it should be
sufficient to test whether or not any telemetries were sent in order to
determine whether or not encryption was skipped. This way, the test can
remain decoupled from the internal workings of the ransomware payload.
2021-07-07 19:14:45 -04:00
Mike Salvatore 0db85ae407
Merge pull request #1300 from guardicore/expand-path-returns-path
Expand path returns path
2021-07-07 19:11:10 -04:00
Mike Salvatore ae7687243f Island: Return Path object from expand_path() 2021-07-07 18:49:50 -04:00
Mike Salvatore 8508a9f98f Island: Remove unnecessary expand_path() call 2021-07-07 08:26:37 -04:00
VakarisZ 9ed2145810
Merge pull request #1303 from guardicore/ransomeware_cwd_encryption_bugfix
Ransomeware bugfix: cwd encryption by default
2021-07-07 14:20:39 +03:00
VakarisZ 726e180797 Add a log message explaining why ransomware target directory is set to none 2021-07-07 13:02:10 +03:00
VakarisZ d33fc26fe3 Add a UT to test if ransomware payload tries to encrypt files if "linux_target_dir" and "windows_target_dir" inputs are empty.
We have empty "linux_target_dir" and "windows_target_dir" by default so it's important that ransomware payload doesn't try to encrypt files by default, without users' knowledge.
2021-07-07 11:45:12 +03:00
VakarisZ d3beebf995 Change ransomware_payload.py to not encrypt files in CWD if no directory was specified 2021-07-07 11:41:42 +03:00
VakarisZ ca1712cdd6 Extract the logic of determining target directory for ransomware payload into a separate method 2021-07-07 11:40:56 +03:00
VakarisZ bd60bef35f Change the expand_path method in file_utils.py to throw an error if an empty file path is provided instead of expanding it to current working directory 2021-07-07 11:23:10 +03:00
VakarisZ 6282cd0de3 Add a UT to test if ransomware payload tries to encrypt files if "linux_target_dir" and "windows_target_dir" inputs are empty.
We have empty "linux_target_dir" and "windows_target_dir" by default so it's important that ransomware payload doesn't try to encrypt files by default, without users' knowledge.
2021-07-07 10:48:35 +03:00
Mike Salvatore 5a77785164 Tests: Remove Path -> str implicit conversion warning 2021-07-06 11:56:25 -04:00
Mike Salvatore a512fd947a Tests: Return Path object from patched_home_env() fixture 2021-07-06 11:31:12 -04:00
Mike Salvatore 5ac574bd17 Tests: Fix failing expand_path() tests 2021-07-06 11:29:42 -04:00
Mike Salvatore 8dd1aa25ac
Merge pull request #1292 from guardicore/ransomware_dir_fix
Ransomware: bugfix for directories
2021-07-06 11:25:13 -04:00
Shreya Malviya 999399ae2d
Merge pull request #1291 from guardicore/ransomware-reporting-tab
Add ransomware report tab
2021-07-06 19:59:07 +05:30
Shreya 53faf5a3db tests: Rename test file to avoid "import name mismatch" error by pytest 2021-07-06 19:58:24 +05:30
Shreya c802914cf6 tests: Update tests according to previous changes with `expand_path()` 2021-07-06 19:46:08 +05:30
Shreya 96c3a2ed12 agent, island: Replace import path for `expand_path()` everywhere 2021-07-06 19:45:08 +05:30
Mike Salvatore 6622fc0ff5 Island: Do not set state from props in RansomwareReport 2021-07-06 10:10:33 -04:00
Shreya d0a94e6223 agent, common, island: Move file util `expand_path` to `common/` 2021-07-06 19:40:10 +05:30
Mike Salvatore b1ab2525fd
Merge pull request #1288 from guardicore/ransomware-target-dir-validators
Validate ransomware target directories
2021-07-06 09:50:47 -04:00
Shreya ded6ce0cd0 agent: Use `expand_path()` instead of `os.path` functions in ransomware payload 2021-07-06 19:18:52 +05:30
Mike Salvatore 4bec9576aa Island: Remove extra + from windows environment variable regex 2021-07-06 09:38:32 -04:00
Mike Salvatore 638db3d7e0 Island: Escape '-' character in environment variable regex
Co-authored-by: Shreya Malviya <shreya.malviya@gmail.com>
2021-07-06 09:38:32 -04:00
Mike Salvatore d2dda4519f Island: Allow Windows ransomware target paths to be UNC paths 2021-07-06 09:38:32 -04:00
Mike Salvatore 9d4ee88e09 Island: Do not allow Windows ransomware target paths beginning with "$"
As far as I can tell, environment variables in Windows look like %NAME%.
Variables in powershell begin with $, but file explorer doesn't
recognize paths beginning with $ as valid.
2021-07-06 09:38:32 -04:00
Mike Salvatore df6082b50a Island: Refactor linux/windows ransomware path regexes
Refactored because the escape characters were cumbersome and difficult
to read when regexes were defined as strings. Also allow special
characters in Windows environment variable names as per
https://ss64.com/nt/syntax-variables.html
2021-07-06 09:38:32 -04:00
Shreya dc305d8e16 cc: Add validation format (starts wih `~`) for ransomware linux target directory 2021-07-06 09:38:32 -04:00
Shreya f8a062876c agent: Create `file_utils.py` and add `expand_path()` to it 2021-07-06 19:07:53 +05:30
Shreya e91d7a6282 agent: Change type hint for FileEncryption's `__init__()`'s `filepath` 2021-07-06 19:04:55 +05:30
Mike Salvatore b17b85d7e7
Merge pull request #1299 from guardicore/delimiter-windows-certificate
island: Add delimiter to windows create_certificate
2021-07-06 09:23:30 -04:00
Mike Salvatore 0fd88b8097 Merge pull request #1297 from guardicore/ransomware-report-api-endpoint 2021-07-06 09:22:11 -04:00
Mike Salvatore 832704dd1c
Merge pull request #1298 from guardicore/gevent-ssl-traceback
Gevent ssl traceback
2021-07-06 09:19:44 -04:00
Mike Salvatore 96fc33025e Island: Redirect gevent tracebacks to file and log exceptions
By default, gevent prints exceptions and tracebacks to stderr. This is
obnoxious as it results in large tracebacks intermixed with the output
that the logger prints to the console. This commit redirects this data
to {DATA_DIR}/gevent_exceptions.log. Unfortunately, this would mean that
the user might be left without any indication these exceptions had
occurred, unless they take the time to inspect the
gevent_exceptions.log. Therefore, when an excepion occurs, a message
with just the exception (not the traceback) is logged to WARNING.

Fixes #859
2021-07-06 08:39:30 -04:00
Shreya 4d8258ddbd cc: Change order of report tab imports to match the order in which they're shown 2021-07-06 16:23:27 +05:30
Shreya c78c955551 CHANGELOG: Add ransomware report API endpoint 2021-07-06 16:16:35 +05:30
Shreya 6d32f85120 island: Remove responsibility to decide whether the report should be displayed, from the backend 2021-07-06 16:14:22 +05:30
Ilija Lazoroski 695e266943 island: Add delimiter to windows create_certificate 2021-07-06 12:43:32 +02:00